Log message:
MFC update to Roundcube 1.3.6, a couple of fixes, the main one being:
"In Roundcube from versions 1.2.0 to 1.3.5, with the archive
plugin enabled and configured, it's possible to exploit the
unsanitized, user-controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
sequence. NOTE: this is less easily exploitable in 1.3.4 and later
because of a Same Origin Policy protection mechanism."
https://github.com/roundcube/roundcubemail/releases/tag/1.3.6

Log message:
update to Roundcube 1.3.6, a couple of fixes, the main one being:
"In Roundcube from versions 1.2.0 to 1.3.5, with the archive
plugin enabled and configured, it's possible to exploit the
unsanitized, user-controlled "_uid" parameter (in an archive.php
_task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform
an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a
sequence. NOTE: this is less easily exploitable in 1.3.4 and later
because of a Same Origin Policy protection mechanism."
https://github.com/roundcube/roundcubemail/releases/tag/1.3.6
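
An added example (not Roundcube's code and not the upstream fix) of the input check whose absence the advisory text above describes: a message-set parameter is rejected unless it is a plain IMAP sequence-set, so a CR LF followed by further text never reaches the IMAP connection. The function name and sample inputs are hypothetical, and the example assumes the parameter is only ever meant to carry an RFC 3501 sequence-set.

```php
<?php
// Added example, not Roundcube code. Names below are hypothetical.

/**
 * Return true only if $value is an IMAP sequence-set as defined in RFC 3501:
 * comma-separated message numbers or ranges, where each number is a non-zero
 * integer or "*", for example "5", "1:10" or "3,7:*".
 */
function is_valid_uid_set(string $value): bool
{
    $num  = '(?:[1-9][0-9]*|\*)';          // nz-number or "*"
    $item = $num . '(?::' . $num . ')?';   // single number or range

    // \A and \z anchor the whole string. Unlike "$", \z does not match
    // before a trailing newline, so "42\n" is rejected as well.
    return preg_match('/\A' . $item . '(?:,' . $item . ')*\z/', $value) === 1;
}

// Constructed sample inputs (not taken from any real request log).
$samples = [
    '42',                                  // single UID
    '1:10,15,20:*',                        // ranges and list
    "42\r\nA001 NOOP",                     // CR LF followed by a second line
    rawurldecode('42%0d%0aA001%20NOOP'),   // same value, as URL-encoded input
    "42\n",                                // trailing newline only
    '0',                                   // zero is not a valid message number
    '',                                    // empty
    '1,,2',                                // malformed list
];

foreach ($samples as $s) {
    printf("%-28s %s\n", json_encode($s), is_valid_uid_set($s) ? 'accept' : 'reject');
}
```

Only the first two samples are accepted; every value containing CR, LF or any other character outside digits, `*`, `:` and `,` is rejected before it could be placed into an IMAP command.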

Log message:
MFC security update to roundcubemail-1.2.5
"The updates primarily fix a recently discovered vulnerability in the
virtualmin and sasl drivers of the password plugin (CVE-2017-8114).
More details about this vulnerability will be published soon by the
reporter. Security-wise the update is therefore only relevant for those
installations of Roundcube using the password plugin with either one of
these drivers."

Log message:
security update to roundcubemail-1.2.5
"The updates primarily fix a recently discovered vulnerability in the
virtualmin and sasl drivers of the password plugin (CVE-2017-8114).
More details about this vulnerability will be published soon by the
reporter. Security-wise the update is therefore only relevant for those
installations of Roundcube using the password plugin with either one of
these drivers."

Log message:
MFC update to roundcubemail-1.2.3 (and sync README changes etc).
Note that the update to 1.2.2 added a new directory containing index.php and
various symlinks to the only files which need to be served directly; it is
strongly recommended that you use this new /var/www/roundcubemail/public_html
dir instead of /var/www/roundcubemail as your document root. This simplifies
your webserver configuration to exclude non-public files - logs etc - and is
especially helpful if using a web server that does not use .htaccess.

Log message:
Install a sample /var/www/roundcubemail/db/ directory with valid permissions,
for sqlite3 users. Philippe Leledy reported that it had to be created manually.
While there, add a sample nginx config section to the README.

Log message:
update to roundcube 1.2.0, including PHP7 compatibility, PGP encryption
(either server-side or client-side using the Mailvelope browser plugin),
and various other improvements and bug fixes.

Log message:
MFC update to roundcubemail-1.1.4, fixes potential path traversal vulnerability
https://www.htbridge.com/advisory/HTB23283 "Although the vulnerability is not
fully disclosed yet, the attack scenario requires an active Roundcube account
as well as write privileges on the same host Roundcube is served from (without
open_basedir protection)." Also adds protection against brute-force attacks.
http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.4

Log message:
Patch roundcubemail to use STREAM_CRYPTO_METHOD_SSLv23_CLIENT when making an
imap connection.
PHP's STREAM_CRYPTO_METHOD_TLS_CLIENT is TLSv1.0 only "for BC with pre-5.6".
There's a STREAM_CRYPTO_METHOD_TLS_ANY_CLIENT but it doesn't seem to actually
work, so use STREAM_CRYPTO_METHOD_SSLv23_CLIENT which (at least with libressl)
is TLS-only anyway.
Thanks PHP.
While there, add an explicit note to the README about the requirement to
disable suhosin session encryption now that we're using the extension in the
standard PHP packages.

Log message:
Roundcube forces its own error_reporting options; adjust the mask to avoid
reporting E_DEPRECATED messages as there is a deprecation warning with Net_SMTP
that is unfixed upstream resulting in a lot of noise in roundcube's error log
for each sent message.

Log message:
update to roundcube 1.1.0, allows searches across multiple folders, better
support for screen readers and more.
Note: IE7/8 no longer supported by default but can be added with the
"legacy_browser" plugin.
There is new experimental anti-CSRF code (per-session tokens in URLs making
it harder for an attacker to generate a valid URL), this is not enabled by
default (requires rewrite support from the web server), for more info see
http://trac.roundcube.net/wiki/Howto_Config/Secure_URLs

Log message:
- update to 0.5.2: various bug fixes and robustness improvements, updated
tinymce (compatible with ie9)
- remove unnecessary patch
- add a hint to roundcubemail.conf suggesting that people may need
to adjust the timezone value if they have problems with invalid sessions

Log message:
- setting suhosin.session.encrypt per-dir doesn't seem to work
(even with suhosin.perdir set), so just force it in roundcubemail.conf
and remove the program/include/iniset.php patch.
- adjust permissions so the web-based installer can be used as pointed
out by aja, this used to be dangerous but is now controlled by the main
config file and defaults to 'off'.
- bump, adjust MESSAGE

Log message:
- fix path in roundcubemail.conf and set a few more required php options
- allow the upgrade script to work without disabling session.encrypt on the
whole server
- note in UPGRADING that virtusertable moved to a plugin, found the hard
way by ajacoutot
- in the mysql schema update script, uncomment a workaround for mysql bug
46293 which affects the in-tree mysql
- bump

Log message:
Remove patch-program_include_session_inc which was previously needed
to allow attachments to be downloaded by https, but doesn't seem necessary
now and has caused caching problems for IE users (including displaying a
logged-out user's inbox). Reported by Ibrahim Khalifa, discussed with
ajacoutot.

Log message:
- update to an svn snapshot of roundcube, it has numerous fixes over the
last stable release.
- add an explicit note about AllowOverride, you get some strange problems
if this is set incorrectly which robert@ ran into.
ok ajacoutot@
